US8037459B2

Movatterモバイル変換

Info

Publication number: US8037459B2
Application number: US11/830,946
Authority: US
Inventors: Ananth Narayan Mavinakayanahalli; Prasanna S. Panchamukhi
Original assignee: International Business Machines Corp
Current assignee: International Business Machines Corp
Priority date: 2007-07-31
Filing date: 2007-07-31
Publication date: 2011-10-11
Also published as: US20090037710A1

Abstract

A system and method for instrumentation of software, the software comprising a set of instructions (program or code) which are executable on a processor of a system, for example a computer system. A location in the instruction to insert a probe is first identified. The instruction is replaced with the probe by copying the instruction to a predefined location. The instruction is executed in the kernel space. A first exception is generated upon encountering the probe and calling a first exception handler, and the first exception handler is configured to call an instrumentation routine. A second exception is generated when the instrumentation routine encounters an error and calling a second exception handler, recovering from the exceptions and returning to a sane state to continue normal execution of the instruction.

Description

FIELD OF THE INVENTION

This invention relates to exception handling, and in particular to software for detecting and robustly recovering from nested exceptions when software is executing in kernel mode.

BACKGROUND OF THE INVENTION

Conventionally, dynamic instrumentation mechanisms such as profiling/tracing infrastructure run in the exception context. Such mechanisms typically work by modifying the text stream at the desired location to induce a software exception, trap the exception and as a consequence, are able to run the instrumentation code, which then gathers the required data. It is especially critical that the instrumentation code run is robust, free of errors and does not induce any subsequent exceptions, potentially causing irreparable damage to the system, and more so when the instrumentation code is run in kernel mode to gather relevant kernel data.

Typically, operating systems define a default exception handler for every exception, such that, when an exception occurs, the operating system saves the current system state (specifically, the registers at the time of exception), and this system state is passed on to the system's default exception handler. In normal circumstances, the system's default exception handler executes and then while returning from the exception handler the system state is restored from the earlier saved system state. Thus, the operating system continues its normal execution after handling the exceptions.

Instrumentation of the software can be done in various ways, for example:

By hooking the system exception handlers to call into the instrumentation code, where the exceptions are not induced, but normally occur as a normal consequence of program execution (such as page-faults). By hooking the page-fault exception handler itself, it becomes possible to run instrumentation code; or

Inducing exceptions by inserting code in the normal program stream and/or using the platform-provided hardware debug facilities to generate exceptions when the inserted code is executed.

When such instructions are executed, the exception handler is invoked. This exception handler in turn executes the instrumentation code, and is configured to collect the required information in the exception context.

FIG. 1A illustrates an embodiment ofconventional exception processing100. Everyexception110 will have associated with it, adefault handler120 that the operating system will run, in case the saidexception110 occurs. In the conventional case, when anexception110 occurs, thedefault exception handler120 will run and take care of executing specific actions to recover from theexception110.FIG. 1B illustrated an embodiment ofexception processing101 with instrumentations code. Aprogram text105 such as a set of instructions is executed on a system.Most instrumentation code130 run off thesystem exception handler120. Given that the system state is provided as input at the entry to theexception handler110, theinstrumentation code130 will also have access to the instrumentation code. The exception stage and the return from exception stage occur between immediately before and after thesystem exception handler120 is executed.

FIG. 1C illustrates an embodiment ofexception processing102 using setjmp( ) and/or longjmp( ) trampolines as in the prior art. Here, the function calls or trampolines setjmp( )125 and/or longjmp( )150 to try and recover from nested exceptions. When theprogram105 is instrumented a first exception occurs, which is handled by the firstsystem exception handler120, preferably a known system state wherein the trampoline setjmp( )125 is assigned to the first system exception and is configured to save the register context after which aninstrumentation code130 gets executed. Under normal circumstances, theinstrumentation code130 executes fine and returns to the trampoline setjmp( )125, from where it is possible to return to the firstsystem exception handler120.

If theinstrumentation code130 generates another further exception, which is typically encountered in the case of nested exception, an entry is recognized to be due to anerror140 that occurred due toinstrumentation code130, the error being caused for example by bugs in theinstrumentation code130, while already inexception context120 and therefore the trampoline longjmp( )150 is executed so as to do a jump to the known sane system state in the firstsystem exception handler120. This will lead to a situation where the number of exception entries is more than the number of exception returns. This will lead to a situation where the exception stack is not offset correctly due to unbalanced entry/return from exceptions. We may end up with a situation where the stack corruption and/or return from interrupt exceptions lead to incorrect system operation down the line.

Without a way to provide a method to restore the system from nested kernel exception and bringing the system back to sane state during instrumentation, the promise of this technology may never be fully achieved.

SUMMARY OF THE INVENTION

Accordingly, the present invention provides a system and method for instrumentation of software, the software comprising a set of instructions (program or code) which are executable on a processor of a system, for example a computer system. A location in the instruction to insert a probe is first identified. The instruction is replaced with the probe by copying the instruction to a predefined location. The instruction is executed in the kernel space. A first exception is generated upon encountering the probe and calling a first exception handler, and the first exception handler is configured to call a instrumentation routine. A second exception is generated when the instrumentation routine encounters an error and calling a second exception handler. Returning to a trampoline [longjmp( )] occurs instead of returning to the instrumentation routine that generated the exception. Recovery from the first and second exceptions occurs and a sane state is restored by the trampoline [longjmp( )].

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A illustrates a prior art embodiment ofconventional exception processing100.

FIG. 1B illustrates a prior art embodiment ofexception processing101 with instrumentations code.

FIG. 1C illustrates a prior art embodiment ofexception processing102 using setjmp( ) and/or longjmp( ) trampolines.

FIG. 2 illustrates an exemplary embodiment of amethod200 of exception processing in accordance with the present invention.

FIG. 3 illustrates an exemplary embodiment of asystem300 on which the method ofFIGS. 1-3 may be implemented.

DETAILED DESCRIPTION

Where reference is made in any one or more of the accompanying drawings to steps and/or features, which have the same reference numerals, those steps and/or features have for the purposes of this description the same function(s) or operation(s), unless the contrary intention appears. The terms “software”, “code”, “program”, “computer program”, “set of instructions” or “instruction” are used synonymously. The term “probe” or breakpoint” is also used synonymously. The terms “exception” or “exception handling” or “programming language construct” or “run time error condition” are used synonymously and mean a computer hardware mechanism designed to handle runtime errors or other problems (exceptions) which occur during the execution of a computer program.

Exceptions are a control transfer mechanism, usually used to treat a special case or handle an error condition. Exceptions are error conditions caused by an illegal instruction. Exceptions typically are synchronous events, in contrast to interrupts, which are asynchronous Exceptions can be hardware-related or software-related errors. For example, exception handling is a C++ mechanism that allows a detector of an error to pass an error condition to code (the exception handler), for example an instrumentation code, that is prepared to handle such an exception. Typically, an exception is raised by a throw statement within a try block and handled by a catch clause. Exceptions are sometimes also referred to a condition, often an error, which causes the program or microprocessor to branch into a different routine. The terms interrupt and exception are very close in meaning. Both can be used to refer to either hardware or software. Performing some actions in response to the arising of an exception is referred to as handling the exception.

FIG. 2 illustrates an exemplary embodiment of a method forinstrumentation200 of exception processing in accordance with the present invention. The embodiment disclosed here is with reference specifically to the Intel architecture, as an example. It should be apparent to a person skilled in the art that this analogy can be extended to other architectures as well. The method forinstrumentations200 i.e., exception processing using setjmp( ) and/or longjmp( ) function calls. The setjmp( )125 and/or longjmp( )145 function calls, i.e., trampolines are typically used to try and recover from nested exceptions. Here, two trampolines (hereinafter also referred to as functions) setjmp( )125 and longjmp( )150 are used to recover from nested exceptions that can occur during instrumentation in the kernel mode. When theprogram205 is instrumented a first exception occurs, which is handled by the firstsystem exception handler220, preferably a known system state wherein the trampoline setjmp( )225 is assigned to the first system exception and is configured to perform the following tasks

- 1. Store a frame pointer,
- 2. Store a stack pointer,
- 3. Store a program counter, and
- 4. Store general purpose register ESI, EDI and EBX, where ESI<EDI and EBX are register names in the Intel architecture,
  before execution of the instrumentation code230. Under normal conditions of instrumentation of theprogram205, the instrumentation code230 executes satisfactorily and returns to the trampoline setjmp( )225, from where it is possible to return to the firstsystem exception handler220.

If the instrumentation code230 during instrumentations does not generate an exception, wherein a check is made140, then the control is transferred back to the known system state setjmp( )225. If during instrumentation, a check is performed at140 and it is determined that a further exception has been generated in the instrumentation code, which is typically encountered in the case of nested exception, thefault handler145 is executed. Thefault handler145 is configured to perform the following tasks

- 1. reset instruction pointer to the trampoline—longjmp( ) trampoline
  an entry is recognized to be due to anerror140 that occurred due toinstrumentation code130, the error being cause for example by bugs in theinstrumentation code130. After thefault handler145 has reset instruction pointer to the trampoline, thefault handler145 passes control to the longjmp( ) trampoline.

The longjmp( ) trampoline250 is executed to such that the system recovers from the nested kernel exceptions and the system is brought back to a sane state. The longjmp( ) trampoline is configured to perform the following tasks

- 1. Restore the frame pointer
- 2. Restore the stack pointer
- 3. Restore the program counter
- 4. Restore the general purpose registers ESI, EDI and EBX
  After performing these tasks the longjmp( ) trampoline recovers from the nested kernel exceptions thereby bringing the system back to a sane state to continue performing normal executions.

In a further embodiment, the method for instrumentation of software, where the software typically consists of a set of instructions, includes first identifying a location in the instruction to insert a probe. After identifying a location where the probe needs to be inserted the next step included replacing the instruction with the probe by copying the instruction to a predefined location. The next step includes executing the instruction in the kernel space. The next step includes generating a first exception upon encountering the probe and calling a first exception handler, and the first exception handler is configured to call a instrumentation routine. The next step includes generating a second exception when the instrumentation routine encounters an error and calling a second exception handler. And finally recovering from the exceptions and returning to a sane state to continue normal execution of the instruction.

Prior to performing the step of replacing the instruction, the method includes a step of associating an instrumentation routine to be executed upon encountering the inserted probe, wherein the instrumentation routine enables a user to relevant tracing or debugging information. The tasks performed by the method have been disclosed previously, which include amongst other saving a system register state as part of the first exception; executing the first exception handler; saving the register contents of a first trampoline [setjmp( )] prior to executing the instrumentation routine. Saving register contents includes collecting essential debug information. The second exception handler returns to a second trampoline [longjmp( )] instead of returning to the instrumentation routine that generated the exception, wherein the second trampoline [longjmp( )] restores the system to sane state and continues normal execution. In a further embodiment, replacing the instruction with a breakpoint instruction further comprises flushing the processor cache if required.

A distinct advantage of this disclosure is the introduction of a trampoline between the exception handler and the instrumentation code. This trampoline is configured for saving data corresponding to a known sane system state, using a suitable mechanism, one of which is via a setjmp( ), before invoking the user defined instrumentation code. The instrumentation code now runs in the said exception context. Under normal circumstances, the instrumentation code executes in a satisfactory manner and returns to the trampoline, from where return to the system exception handler is possible. If the instrumentation code generates a further exception, this is a case of nested exception, an entry is then made into the system's fault handler.

In the fault handler, it is determined that the entry is due to a fault that occurred as a consequence of running while already in exception context and hence modify the address to return from this exception to point to a longjmp( ) trampoline. Under normal exception handling, once the exception is handled, control is returned back to the point in code where the exception was generated. In this case modify the return address to point to a known location [trampoline longjmp( )]. After completion a return from exception (this return is for the second/nested exception) is performed. As a consequence, the pointer is now at a known location [trampoline longjmp( )] where information can be gathered as discussed previously. After the longjmp( ) is executed, automatically control is transferred to the system exception handler. From this point on, execution continues as normal. An advantage of the above is that such robust fault handling in kernel probes (kprobes) in Linux can be used efficiently.

In a further embodiment,FIG. 3 illustrates an exemplary embodiment of asystem300 on which the method ofFIG. 2 may be implemented. Thesystem300 preferably a processing system or a computing system, include and are not limited a variety of electronic devices such as desktop computers, application servers, web servers, database servers and the like and portable electronic devices such as mobile phones, personal digital assistants (PDAs), pocket personal computers, laptop computers, and the like, which are capable of instrumenting software and generating a UML protocol state machine. It should be apparent to a person skilled in the art that any device, e.g. electronic devices, portable electronic devices, handheld electronic devices and the like, which includes at least a processor and a memory configured execute scripts falls within the scope of the present invention.

Thesystem300 includes at least a processor and a memory in which the present invention may be implemented is depicted in accordance with one embodiment. Thesystem300 depicted includes asystem unit302, which further includes essential hardware components such as a microprocessors, memory, connectors, system bus, power unit etc (some of which are not shown in the figure), avideo display terminal304, aninput device306, the input device including a keyboard, mouse, a joystick, touchpad, touch screen, trackball, microphone, etc., andstorage devices308, which may include floppy drives and other types of permanent and removable storage media. Although the depicted representation shows a standalone system300, further embodiments of the present invention may be implemented in other types ofsystems300, coupled over a network. For example a wired network, wireless network work or a combination thereof. Thesystem300 also preferably includes a graphical user interface (GUI) that may be implemented by means of systems software residing in computer readable media in operation within the system.

The memory associated with anysystem300 is typically is an electronic holding place for instructions and/or data accessed, such as a semiconductor device e.g. random access memory (RAM), such that microprocessor of thesystem300 can access the instruction and/or data rather quickly. When the system is in normal operation, the memory usually contains the main parts of the operating system and some or all of the application programs and related data that are being used by the computing system. Accessing data via the memory is faster than reading from a hard drive, so having a larger RAM makes it quick to retrieve recently accessed files, applications, and other data. Further, all programs must be run through the memory before they can be used. Thesystem unit302 typically containing these components is used for processing and/or executing and instrumenting the software. Theinput device306 is to record the user input and data may be entered via thisinput device306 to perform specific functions. Thevideo display terminal304 is used to display the results to the user, for example the recorded input, the changed input, the associated actions, the responses etc; and is configured the method disclosed previously.

For those of ordinary skill in the art will appreciate that the hardware depicted inFIG. 3 may vary. For example, other peripheral devices, such as optical disk drives and the like, also may be used in addition to or in place of the hardware depicted. The depicted example is not meant to imply architectural limitations with respect to the present invention. The system depicted inFIG. 1 may be, for example, an IBM eServer pSeries® system, a product of International Business Machines Corporation in Armonk, N.Y., running the Advanced Interactive Executive (AIX™) operating system or LINUX™ operating system.

EXAMPLE

Consider the software as defined below.

A program is defined as a sequence of instructions. Consider a program to add two numbers. Such a program would contain the following instructions for the addition:

- 1. Get the first number
- 2. Get the second number
- 3. Add the two numbers
- 4. Print the result of addition

The above program may be translated into the following pseudo code:

- 1. get A
- 2. get B
- 3. add A, B
- 4. print result
  This program contains four instructions. Consider that this program needs to be debugged using a method of dynamic instrumentation. The strategy is to find out the values of the two numbers before the step of adding the number, such that verification may be performed to determine whether the program uses the correct input values or not. The disclosed invention is detailed below:

The first step includes identifying a location to put a probe or breakpoint: a probe or breakpoint at “location 3”, so that the program execution can be broken by the probe at “location 3” and it becomes possible to determine the inputs to the program.

The second step includes copying the original instruction at the identified into an allocated memory. A breakpoint instruction needs to be inserted at “location 3” and therefore the original instruction at “location 3” (3: add A, B) should not be overwritten. Therefore, the original instruction is stored or saved at a safe location; for example, an allocated memory address, referenced as original_instruction_address.

The third step includes replacing the original instruction with a breakpoint instruction. Once the original instruction has been saved, the breakpoint instruction is inserted. After inserting the breakpoint instruction, the program defined above is:

- 1. get A
- 2. get B
- 3. BREAK HERE
- 4. print result
  where the original_instruction_address: add A, B; indicating that the instruction as “location 3” is stored/saved at the desired location.

The fourth step includes generating an exception when the breakpoint is encountered. When the program execution encounters the breakpoint at “location 3”, an exception is generated and the control is transferred to an exception handler. The exception handler is a routine provided by Operating System Kernel, where required debugging information can be logged. For example, the values of A and B need to be logged.


	first_exception_handler( )
	{
	}

The fifth step includes exception handler saving register context before executing the instrumentation code. Before the exception handler calls the instrumentation code, it saves sufficient register context in a trampoline called setjmp( ). This information is helpful to recover from any other exceptions such as faults that occur during executing the instrumentation code.


	first_exception_handler( )
	{
	if (setjmp( ) ==0) {
	return 1;
	}
	instrumentation_code( );
	}

The sixth step includes instrumentation code generating another exception and the second exception handler gets executed. If the instrumentation code executing in the exception code generates another exception, then the system becomes unstable and may cause system crash. Thus the second exception handler gets executed:


	instrumentation_code( )
	{
	char *p =NULL;
	*p = 1000; <<<<<<<<<<<<<<Generates 2^ndexception
	}

The seventh step includes returning to the longjmp( ) trampoline, which is an important aspect of this disclosure. Check if the second exception is due to instrumentation code that was executed in the first exception context. In such a case, return to the longjmp( ) trampoline instead of returning to the instrumentation instructions that were executed in the first exception context which cased second exception, thus returning from the second exception context.


	second_exception_handler( )
	{
	return to longjmp_trampoline( )
	}

The eighth step includes restoring the system to a sane state. Now the control is at the first exception context, this longjmp( ) trampoline restores the system to a sane state using the register information saved in the fifth step described previously.


	longjmp_trampoline( )
	{
	restore state from setjmp( );
	return to exception handler;
	}

The system exception handler, rather than calling the instrumentation code directly, interfaces through an intermediate routine, that takes care of saving the return address and the system state (setjmp( ) buffer) so as to help recover from any subsequent exception. If the instrumentation code generates another exception, the exception handler that gets executed (via the fault handler) will take care to reset the return address from the exception, to a known trampoline address. The trampoline code will then use the information gathered to redirect a return from exception to the return address at the system exception handler and not to the point in instrumentation code that generated the exception.

As disclosed above, thesystem300 comprising a processor, a memory, a computer readable medium coupled to the processor, and a software comprising instruction encoded in the computer readable medium and executable by the processor causing the processor to perform the steps as disclosed previously. The system is configured to execute the instruction in the kernel space wherein a probe is inserted at an identified location of the instruction and the instruction being copied to a predefined location. The system further generates a first exception upon encountering the probe and calling a first exception handler and the first exception handler is configured to call a instrumentation routine. The system further generates a second exception when a instrumentation routine encounters an error and calling a second exception handler. Finally the system is configured to return the system to a sane state to continue normal execution of the instruction by recovering from the exceptions.

In a further embodiment is disclosed a computer program product comprising a computer readable medium having a computer readable program comprising software, wherein the computer readable program when executed on a computer causing the computer to: execute the instruction in the kernel space wherein a probe is inserted at a identified location of the instruction and the instruction being copied to a predefined location; generate a first exception upon encountering the probe, save a system register state as part of the first exception; execute the first exception handler; save the register contents of a first trampoline [setjmp( )] prior to executing a instrumentation routine, and the first exception handler is configured to call the instrumentation routine; generate a second exception when a instrumentation routine encounters an error and calling a second exception handler, the second exception handler returns to a second trampoline [longjmp( )] instead of returning to the instrumentation routine that generated the exception; the second trampoline [longjmp( )] configured to recover from the exceptions and return to a sane state.

In a further embodiment a signal bearing medium tangibly embodying a set of instructions, preferably machine readable instruction executable on a processor of a computing system, the set of instruction when loaded on the processor of the device and execute thereon is configured to perform the method as disclosed previously, thereby bringing the system back to sane state and continue normal execution of the program.

The accompanying figures and this description depicted and described embodiments of the present invention, and features and components thereof. Those skilled in the art will appreciate that any particular program nomenclature used in this description was merely for convenience, and thus the invention should not be limited to use solely in any specific application identified and/or implied by such nomenclature. Therefore, it is desired that the embodiments described herein be considered in all respects as illustrative, not restrictive, and that reference be made to the appended claims for determining the scope of the invention.

Although the invention has been described with reference to the embodiments described above, it will be evident that other embodiments may be alternatively used to achieve the same object. The scope of the invention is not limited to the embodiments described above, but can also be applied to software programs and computer program products in general. It should be noted that the above-mentioned embodiments illustrate rather than limit the invention and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs should not limit the scope of the claim. The invention can be implemented by means of hardware comprising several distinct elements.